virtio: rng: Check length before copying

Check the length of data written by the device is consistent with the size of the buffers to avoid out-of-bounds memory accesses in case values aren't consistent. Signed-off-by: Andrew Scull <ascull@google.com> Cc: Sughosh Ganu <sughosh.ganu@linaro.org> Reviewed-by: Simon Glass <sjg@chromium.org>
author: Andrew Scull <ascull@google.com> 2022-05-16 13:41:39 +0300
committer: Tom Rini <trini@konsulko.com> 2022-06-08 16:24:04 +0300
commit: 43937a4f5e411b3a82014fe0fa78ef4de90b11c2 (patch)
tree: b5cdedd90ad28a3cc937bd335b5a9e93748b83df /drivers/virtio
parent: 420b3e51f4f64ebc6ab88f751f116e634894b231 (diff)
download: u-boot-43937a4f5e411b3a82014fe0fa78ef4de90b11c2.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/virtio/virtio_rng.c b/drivers/virtio/virtio_rng.c
index 9314c0a03e..b85545c2ee 100644
--- a/drivers/virtio/virtio_rng.c
+++ b/drivers/virtio/virtio_rng.c
@@ -41,6 +41,9 @@ static int virtio_rng_read(struct udevice *dev, void *data, size_t len)
 		while (!virtqueue_get_buf(priv->rng_vq, &rsize))
 			;
 
+		if (rsize > sg.length)
+			return -EIO;
+
 		memcpy(ptr, buf, rsize);
 		len -= rsize;
 		ptr += rsize;
author	Andrew Scull <ascull@google.com>	2022-05-16 13:41:39 +0300
committer	Tom Rini <trini@konsulko.com>	2022-06-08 16:24:04 +0300
commit	43937a4f5e411b3a82014fe0fa78ef4de90b11c2 (patch)
tree	b5cdedd90ad28a3cc937bd335b5a9e93748b83df /drivers/virtio
parent	420b3e51f4f64ebc6ab88f751f116e634894b231 (diff)
download	u-boot-43937a4f5e411b3a82014fe0fa78ef4de90b11c2.tar.xz